LinuxQuestions.org


Scrag 11-17-2004 07:19 AM

How to port forward with IPTABLES...
 
Hi,

How would I setup port forwarding on my firewall below? For example, if I wanted to forward port 8080 to 192.168.0.5. Below is my firewall script. I have eth0 as my outside internet connection, and eth1 as the LAN. Any suggestions on how to improve this script in general would also be appreciated!! :)

I'm also using Red Hat 9.0 if this helps.

Thanks!

Code:

#!/bin/sh

# set a few variables
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
 
# adjust /proc
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
 
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
 
# setup nat
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
 
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
 
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# blocked hosts
#$iptables -I INPUT -s 212.5.86.163 -j DROP
#$iptables -I FORWARD -s 212.5.86.163 -j DROP
 
# icmp
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
 
# apply icmp type match blocking
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
 
# open ports to the firewall
$iptables -A INPUT -p udp --dport 27960 -j ACCEPT #Q3 Games / Wolf
$iptables -A INPUT -p udp --dport 14567 -j ACCEPT #BF1942
$iptables -A INPUT -p udp --dport 20100 -j ACCEPT #SOF2
$iptables -A INPUT -p udp --dport 12300 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 27900 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 28900 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 23000:23009 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT    #SSH
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT    #HTTP
$iptables -A INPUT -p tcp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p tcp --dport 27650 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27650 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 8767 -j ACCEPT  #TEAMSPEAK
$iptables -A INPUT -p tcp --dport 14534 -j ACCEPT #TS WEB ADMIN

# drop all other packets
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP


PiLgRiM 11-17-2004 08:51 AM

You'll want to add at least the following lines. I'm assuming you want to forward external port 8080 to internal 192.168.0.5 on port 80. I'm also assuming your eth1 is your external interface.

$iptables -A FORWARD -i eth1 -d 192.168.0.5 --protocol tcp --dport 80 -j ACCEPT
$iptables -A PREROUTING -i eth1 -t nat -p tcp --dport 8080 -j DNAT --to 192.168.0.5:80

You really should set up that first line as the following, where $ext_ip is your external IP address assigned to eth1.

$iptables -A PREROUTING -i eth1 -t nat -p tcp -d $ext_ip --dport 8080 -j DNAT --to 192.168.0.5:80

RomKnight 11-17-2004 09:04 AM

[edit]it seems someone writes faster than me :rolleyes: [/edit]

These are the Iptable rules (EXAMPLE) required for port forwarding xxx.xxx.xxx.xxx:8888
to 192.168.0.2:80 .

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

Scrag 11-17-2004 09:10 AM

T H A N K S !!!

EastonRoyce 12-11-2004 10:14 PM

You'll have to forgive me, I'm a bit of a noob when it comes to IPTABLES. That script of yours is pretty shmick looking, Scrag. If I wanted to use a script based off of yours on my own system, where would I put it? Thanks heaps in advance!

Scrag 12-12-2004 02:14 AM

I have this script saved as a file under /etc/rc.firewall. To load this automatically on boot up you need to add the line "cd /etc[ENTER] ./rc.firewall" in your startup file "/etc/rc.d/rc.local". rc.local is your "load this on boot" file. Hope this helps as I am typing as I am drunk :) If not, let me know, I'll get back to you tomorrow when I am sober ;)

EastonRoyce 12-13-2004 04:57 AM

Can I place the Port Forwarding Section any where in the script?
I have created the following rules to forward Bit Torrent, are they correct? Thanks heaps in advance!

#Open Ports
$iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT #BT


#Port Forward
$iptables -A FORWARD -i eth1 -d 192.168.0.203 --protocol tcp --dport 6881:6889 -j ACCEPT
$iptables -A PREROUTING -i eth1 -t nat -p tcp --dport 6881:6889 -j DNAT --to 192.168.0.203:6881-6889

My eth0 and eth1 are the same as your own scenario.
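The DNAT plus FORWARD rule pair described in the answers above, written up as an added example (not code from the thread) that also covers the port range in the Bit Torrent question: eth0 is the internet side and eth1 the LAN as in the original script, the FORWARD policy is DROP with the script's ESTABLISHED,RELATED rule already in place, and the public address 203.0.113.10 is a constructed placeholder for the real external IP.

```shell
#!/bin/sh
# Added example: generate the two rules needed for one TCP port-forward.
# Interfaces follow the original post (eth0 = internet, eth1 = LAN).
# EXT_IP is a constructed placeholder (RFC 5737 documentation address).
EXT_IF=eth0
LAN_IF=eth1
EXT_IP=203.0.113.10
IPTABLES=/sbin/iptables

# Convert an iptables port spec (80 or 6881:6889) into DNAT --to-destination
# syntax: ranges there use a dash (6881-6889), not a colon.
dnat_ports() {
    printf '%s\n' "$1" | tr ':' '-'
}

# Print the rules for forwarding EXT_IP:$1 to $2:$3.
# Usage: forward_rules <ext_port|range> <lan_ip> <lan_port|range>
forward_rules() {
    ext_port=$1; lan_ip=$2; lan_port=$3
    # 1. Rewrite the destination before routing, but only for packets that
    #    arrive on the internet interface addressed to our own public IP, so
    #    LAN traffic and other addresses are never rewritten.
    printf '%s -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$EXT_IF" "$EXT_IP" "$ext_port" "$lan_ip" "$(dnat_ports "$lan_port")"
    # 2. FORWARD policy is DROP, so accept only NEW connections to the
    #    rewritten destination; replies match the existing ESTABLISHED,RELATED rule.
    printf '%s -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$IPTABLES" "$EXT_IF" "$LAN_IF" "$lan_ip" "$lan_port"
}

# Review the output first, then apply it as root, e.g.:
#   forward_rules 8080 192.168.0.5 80 | sh
```

Because the script flushes and rebuilds the chains from the top, these two lines belong anywhere after the `-F` and `-P` lines; the nat PREROUTING rule is independent of rule order in the filter table.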

